Deploying vSphere 6.5 Update 2 Platform Services Controller (PSC) and vCenter in an HA configuration [Part 1]

This will be the first part of deploying your vSphere 6.5 Update 2 Platform Services Controller (PSC) and vCenter in an HA configuration. We will walk through the entire setup starting with the Platform Services Controllers (PSCs) and then move on to deploying vCenter and configuring the HA environment.

Video Demonstration and Discussion

Must haves

  • DNS for every system (this includes the reverse DNS) – All of your PSC and vCenter deployments along with the VIP on your load balancers need this setup before you start
  • NTP
  • Secondary VLAN for the Private Network between vCenter servers and the Witness server (this VLAN must be different than the VLAN used for the management of vCenter)
  • Load Balancers need to be up and ready. There are only three load balancers that are supported by VMware: NetScaler, F5 and NSX. Your configuration is unsupported if you use another load balancer (even if it works). VMware actually does a decent job of going through each of these configurations:
  • Some of the articles talk about putting certificates on your Load Balancers. This is not required. SSL Passthrough (which means you don’t have certs on the load balancers) is a supported configuration. Within this document, I will be doing SSL Passthrough.
  • One thing you should note and not miss, is that the Timeout (or stickiness) of the connections within the load balancers needs to be set to 1440 seconds. The issue, especially with the deployment, is if this is not set, the deploy can fail if it tries to hit one PSC and then at a later time, hits the other PSC. I’ve even gone so far as to shutdown one PSC at a site during the deployment to make sure I don’t have to rebuild 🙂

Deploying the Platform Services Controllers (PSCs)

This process is covered here: VMware vSphere 6.5 Platform Services Controller (PSC) Deployment in a Ring Topology/Replication Agreement with Enhanced Linked Mode

That article will get you setup with four PSCs in two sites along with connecting them with a Replication Agreement. If you are only doing one site, you still need to bring up at least two PSCs in that site. So that article can still be followed, but just stop after you have deployed at least two PSCs (there is also no need to setup a Replication Agreement with just two PSCs).

VMCA 6.5 Update 2 as a Subordinate CA

This step is optional but highly recommended. You can follow this article to get this done: VMCA 6.5 Update 2 as a Subordinate CA

Each of your PSCs that you have deployed will need to go through that article. Each will have a VMCA that can provide certificates to solutions that attach to your deployment (i.e. vCenter).

Further Reading

What you want to do is hit the VIP FQDN (using the https:// side of things) and verify that the certificates you are getting are correct. This will also test the connection to your PSCs!

While this particular post is somewhat short, the amount of setup is not. At the end of this, you should have the following:

  • PSCs behind load balancers
  • Load balancers completely setup
  • A VIP on your load balancers used to connect to them with a FQDN
  • (Optional) The VMCA setup to be a Subordinate CA on all of your PSCs
  • Connecting to the VIP (https://VIP-FQDN) returns a web page of the PSC with valid certificates

Continue to Part 2 of this process once the above has been deployed!

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.